M. Bellare and S. Micali, "How to sign given any trapdoor permutation," JACM Vol. 39, No. 1, 214-233, January 1992.  Home/Search   Document Details and Download   Summary   Related Articles   Check

.... of Probabilistic Encryption: see [40] where there is no p time algorithm A that has a non negligible advantage (in k, over all choices of KG and m 0 ; m 1 ) in distinguishing between E(PK;m 0 ) and E(PK;m 1 ) given (m 0 ; m 1 ; PK) 21 Definition 2: Signature Scheme [26, 41] by exposition of [4]) A digital signature has the following components: ffl A security parameter k, a message space and a key generation algorithm as above. ffl A signing scheme 8 S = S S ; SR ) where S S and SR are probabilistic p time algorithms run by the signer vs. the receiver of a signature s on a ....

M. Bellare and S. Micali, "How To Sign Given Any Trap-Door Permutation," Journal of the ACM, Vol. 39, No. 1, Jan 1992, pp. 214--233.

....basis. These cryptosystems are attractive because their computational model is more expressive than the standard number theoretic approaches, and they more efficient as well. More generally, there are results stating that any trapdoor function can be used for signing with provably high security [5]. This is in contrast to classical approaches which rely on the difficulty of factoring numbers or other numbertheoretic problems (without provable difficulty) Fundamental results of this nature are useful in attempting to integrate the theory into other problem domains. One time (or finite use) ....

Bellare, M., and Micali, S. How to sign given any trapdoor permutation. Journal of the Association for Computing Machinery 39, 1 (Jan. 1992), 214--233. 8

....security of any ordinary digital signature scheme, one has to make a computational assumption. The same argument also applies to the more general construction in [20] Hence the e#ort in the theoretical treatment of signature schemes after [20] concentrated on weakening the necessary assumptions [1, 30, 39]. Note, additionally, that with ordinary digital signatures, it is always the signer whose security relies on the computational assumption. If the signer were allowed to disavow forged signatures, she could also disavow her real signatures (because there is no di#erence between them) even if the ....

....may be realized by a certification hierarchy or a kind of phone book in practice) The use of such a channel should be minimized. In fact, some authors even require of ordinary digital signature schemes that after the initial key generation of fixed length, signing can go on polynomially forever [1, 30]. Hence one important result of the next two constructions is that they guarantee very short public keys. The basic idea behind these constructions is tree authentication. The same ideas underlie all published provably secure ordinary digital signature schemes; however, some variations necessitate ....

M. Bellare and S. Micali, How to sign given any trapdoor permutation, J. Assoc. Comput. Mach., 39 (1992), pp. 214--233.

....k) Probabilistic Encryption: see [15] for a formal definition. We say that E is a probabilistic encryption there is no poly time algorithm A that can distinguish between pairs (m; E(m) and (m; r) for random strings r 2 E( Delta) Definition 2: Signature Scheme [13, 17] by exposition of [2]) A digital signature scheme has the following components: ffl A security parameter k, a message space and a key generation algorithm as above. ffl A signing scheme S = SS ; SR ) where SS and SR are probabilistic p time algorithms run by the signer vs. the receiver of a signature s on a ....

M. Bellare, S. Micali, "How To Sign Given Any Trap-Door Permutation," Journal of the ACM, Vol. 39, No. 1, Jan 1992, pp. 214-233

....extremely fast, and indeed in our case each block (except for the first) is signed (and hence verified) only once with a 1 time key. We also use the idea to of using old keys in order to authenticate new keys. This has appeared in several places but always for long lived keys. Examples include [1, 16, 19] where this technique is used to build provably secure signature schemes. We stress that the results in [1, 16, 19] are mostly of theoretical interest and do not yield practical schemes. Our on line solution somehow mixes these two ideas in a novel way, by using the chaining technique with 1 time ....

....with a 1 time key. We also use the idea to of using old keys in order to authenticate new keys. This has appeared in several places but always for long lived keys. Examples include [1, 16, 19] where this technique is used to build provably secure signature schemes. We stress that the results in [1, 16, 19] are mostly of theoretical interest and do not yield practical schemes. Our on line solution somehow mixes these two ideas in a novel way, by using the chaining technique with 1 time keys, embedding the keys inside the stream flow so that old keys can authenticate at the same time both the new ....

M. Bellare, S. Micali. How to Sign Given any Trapdoor Permutation. J. of the ACM, 39(1):214-- 233, 1992.

No context found.

M. Bellare and S. Micali, "How to sign given any trapdoor permutation," JACM Vol. 39, No. 1, 214-233, January 1992.

No context found.

M. Bellare and S. Micali, "How to sign given any trapdoor permutation," JACM Vol. 39, No. 1, 214-233, January 1992.

No context found.

M. Bellare and S. Micali. How to sign given any trapdoor permutation. Journal of ACM, 39(1):214-233, January 1992.

....used upon each invocation of the oracle; if the scheme is stateful, the oracle maintains and updates the state. In particular the adversary has no way to force the oracle to reuse a particular set of coins for two signatures. This will be important later. The basic versions of the schemes of [GMRi, BeMi, NY1, Ro] are (randomized and) stateful. The more efficient schemes of [DwNa, CD] are also (randomized and) stateful. Examples of (randomized but) stateless schemes are those of [GHR, CS2] Although there seem to be few schemes that are naturally stateless, deterministic and secure, any signature scheme ....

M. Bellare and S. Micali, "How to sign given any trapdoor permutation," JACM, Vol. 39, No. 1, January 1992, pp. 214--233. 22

....schemes. However, we can briefly survey the schemes whose security has been proved under reasonable cryptographic assumptions. The first one was presented in [27] with efficiency improvements in [25] For an implementation, see [24] The necessary assumptions were successively weakened in [6], 38] 46] Recently, efforts have been made to improve the efficiency in [4] with an incomplete proof) and [19] 12] Note, however, that fail stop signature schemes (see below) also yield provably secure ordinary digital signature schemes, see [43] 40] and thus the first efficient ....

Mihir Bellare and Silvio Micali (1992). How to Sign Given Any Trapdoor Permutation. Journal of the ACM 39/1, 214--233.

....FLS protocol and indicate the source of the problem. We then, briefly, discuss our solution. Later sections specify the definitions and our solution in more detail. 1. 1 Trapdoor Permutations Let us begin by recalling, in some detail, the definition of a trapdoor permutation generator (we follow [BeMi]) and seeing what it means for such a generator to be certified. 1 Such a problem is not present in public key applications. If I wish to publish N and e to specify an RSA digitial signature scheme, there is no question of my incorrectly choosing e because it isn t to my advantage to do so. A ....

....by f under E is the map from f0; 1g n to f0; 1g n given by x 7 E(f ; x) 2.2 Trapdoor Permutations and Certified Ones Let us present a precise definition of trapdoor permutations and see what it means for them to be certified. The definition that follows is from Bellare and Micali [BeMi]. Definition 2.2 (Trapdoor Permutation Generator) Let G be a probabilistic, polynomial time algorithm, and let E; I be polynomial time algorithms. We say that (G; E; I) is a trapdoor permutation generator if the following conditions hold: ffl Generation: For every n 0, the output of G on input ....

[Article contains additional citation context not shown here]

M. Bellare and S. Micali. How to Sign Given any Trapdoor Permutation. JACM, Vol. 39, No. 1, January 1992, pp. 214-233.

No context found.

M. Bellare and S. Micali, "How to sign given any trapdoor permutation," JACM Vol. 39, No. 1, 214-233, January 1992.

....that RSA is trapdoor one way. Other standards, such as [9] are similar to [156] and the same statement applies. The schemes we discuss in the remainder of this section do not use the hash then decrypt paradigm. Signature schemes whose security can be provably based on the RSA assumption include [90, 17, 129, 154, 68]. The major plus of these works is that they do not use an ideal hash function (random oracle) model the provable security is in the standard sense. On the other hand, the security reductions are quite Cryptography: Lecture Notes 117 loose for each of those schemes. On the efficiency front, ....

....is that they do not use an ideal hash function (random oracle) model the provable security is in the standard sense. On the other hand, the security reductions are quite Cryptography: Lecture Notes 117 loose for each of those schemes. On the efficiency front, the efficiency of the schemes of [90, 17, 129, 154] is too poor to seriously consider them for practice. The Dwork Naor scheme [68] on the other hand, is computationally quite efficient, taking two to six RSA computations, although there is some storage overhead and the signatures are longer than a single RSA modulus. This scheme is the best ....

M. Bellare and S. Micali. How to sign given any trapdoor permutation. Journal of the ACM, 39(1):214-- 233, January 1992.

....that RSA is trapdoor one way. Other standards, such as [1] are similar to [16] and the same statement applies. The schemes we discuss in the remainder of this section do not use the hash then decrypt paradigm. Signature schemes whose security can be provably based on the RSA assumption include [9, 2, 11, 20, 6]. The major plus of these works is that they do not use an ideal hash function (random oracle) model the provable security is in the standard sense. On the other hand, the security reductions are quite loose for each of those schemes. On the efficiency front, the efficiency of the schemes of ....

....6] The major plus of these works is that they do not use an ideal hash function (random oracle) model the provable security is in the standard sense. On the other hand, the security reductions are quite loose for each of those schemes. On the efficiency front, the efficiency of the schemes of [9, 2, 11, 20] is too poor to seriously consider them for practice. The Dwork Naor scheme [6] on the other hand, is computationally quite efficient, taking two to six RSA computations, although there is some storage overhead and the signatures are longer than a single RSA modulus. This scheme is the best ....

M. Bellare and S. Micali, "How to sign given any trapdoor permutation," JACM Vol. 39, No. 1, 214-233, January 1992.

No context found.

M. Bellare and S. Micali. How to sign given any trapdoor permutation. J. ACM, 39(1):214--233, 1992.

No context found.

M. Bellare and S. Micali. How to sign given any trapdoor permutation. J. ACM, 39(1):214--233, 1992.

No context found.

M. Bellare and S. Micali. How to sign given any trapdoor permutation. Journal of the ACM, Vol. 39, No. 1, January 1992, pp. 214--233.

No context found.

M. Bellare and S. Micali. How to sign given any trapdoor permutation. Journal of the ACM, Vol. 39, No. 1, January 1992, pp. 214--233.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC